Every time you let Claude Code work, it stopped every 3 seconds to ask permission. Auto Mode fixes that with a safety classifier that screens every action.
On Monday, March 24, 2026, someone injected malicious code into a library called LiteLLM.
A library downloaded 97 million times per month. Whose only job is to hold all your API keys.
The malicious code stole SSH keys, cloud credentials, Kubernetes secrets, and crypto wallets. It didn't wait for someone to import the library. It executed automatically on every Python process running on the machine.
That same day, Anthropic released a new feature for Claude Code called Auto Mode.
The timing isn't a coincidence.
Until now, developers who wanted Claude Code to work uninterrupted had to run it with --dangerously-skip-permissions. The name says it all. It's like handing someone the keys to your house, your car, and your bank account, then leaving for vacation.
Auto Mode is the middle path. If you're new to Claude Code, check out the tutorials here.
1. What Auto Mode Is and How It Works
Instead of approving every file write and every Bash command manually, Claude Code runs a classifier. A safety filter that screens every action before it executes.
The filter checks for 3 things:
- Mass file deletions
- Sensitive data exfiltration
- Malicious code execution
Safe action? Proceeds automatically. Risky action? Gets blocked, and Claude Code tries a different approach.
If Claude Code keeps insisting on blocked actions, it'll escalate to a manual permission prompt. That still happens. But instead of 50 approvals per minute, you'll get maybe 2 or 3.
2. Why This Matters Right Now
The LiteLLM attack showed exactly why permissions matter.
TeamPCP, the threat actor group, first compromised Aqua Security's Trivy vulnerability scanner on March 19. Then Checkmarx's KICS on March 23. Then LiteLLM on March 24.
Three supply chain attacks in one week.
When you run --dangerously-skip-permissions on Claude Code, you're giving an AI agent full access to your system. If something in your environment is already compromised, there's zero defense layer. Auto Mode doesn't solve everything. But it adds an automated screening layer that at least catches the obvious stuff.
3. How to Enable Auto Mode
claude --enable-auto-mode
That's it. One command.
After enabling, press Shift+Tab inside a session to switch to Auto mode.
💡 If you're working in VS Code, first enable it in Settings → Claude Code → check Auto Mode. Then select it from the Permission Mode dropdown inside the session.
⚠️ Important: Anthropic recommends running Auto Mode in isolated environments (containers, VMs). It's safer than skip permissions, but it's not bulletproof.
4. What Auto Mode Doesn't Do
Let's be honest:
- The classifier can miss risky actions if your intent is ambiguous
- It can block harmless actions by mistake
- There's a slight increase in token consumption, cost, and latency
- It's not a replacement for code review
Auto Mode is an additional layer. Not the only layer. If you're building AI agents with Claude Code, it's an important tool in the toolbox. But it doesn't replace thinking.
5. Who Gets Access
As of March 25, 2026:
- ✅ Claude Team plan. Research preview, available now
- 🔜 Enterprise plan. Rolling out in the coming days
- 🔜 API users. Rolling out in the coming days
- Works with Sonnet 4.6 and Opus 4.6
Admins can disable the feature with "disableAutoMode": "disable" in managed settings.
The Takeaway
The LiteLLM attack and Claude Code's Auto Mode happened on the same day. That's not a coincidence. It's a signal.
The environment where AI agents operate is getting more complex. Supply chains get compromised. Libraries everyone trusts become attack vectors.
Giving an AI agent full access to your machine with zero checks is Russian roulette.
Understanding that security is layers, that Auto Mode is one layer of several, and that you also need containers, code review, and a clear understanding of what the agent is actually doing, that's building it right.
- Install the latest version of Claude Code
- Enable Auto Mode with
claude --enable-auto-mode - Verify you're not using LiteLLM versions 1.82.7 or 1.82.8
- Run agents in isolated environments (Docker, VM)
- Code review every significant change
Pick your first Claude Code project and start building with the right defense layers.
FAQ
What's the difference between Auto Mode and dangerously-skip-permissions?
--dangerously-skip-permissions disables all permission checks. Claude Code does whatever it wants. Auto Mode runs a classifier that screens every action before it executes. Risky actions get blocked automatically.
Is Auto Mode completely safe?
No. Anthropic says so explicitly. The classifier can miss things, especially when intent is ambiguous. Best to run in an isolated environment.
Does it cost more?
Slight increase in tokens and latency. Not significant in most cases. Worth it for the ability to let Claude Code work without stopping every 3 seconds.
Does it work with all models?
Only with Claude Sonnet 4.6 and Opus 4.6. Not available for older models.
When will it be available to everyone?
Enterprise and API users in the coming days. Team plan is already live. On the Desktop app it's off by default. Enable through Organization Settings.
Subscribe to our newsletter to get tips like these straight to your inbox, every week.